SEC501: Advanced Security Essentials - Enterprise Defender

Nearly 100% of the material covered in SEC501 is immediately applicable to the daily role of an analyst and a risk manager alike, regardless of industry.

Terry Boedeker, FireEye

For an intensive and in-depth course, I found SEC501 to be extremely educational yet fun and entertaining.

Hisham Al-Muhareb, Saudi Aramco

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more preventive and detective measures, completing the security lifecycle.

Course Syllabus

SEC501.1: Defensive Network Architecture

Overview

Section 1 will focus on security in the design and configuration of various enterprise infrastructures. From a security perspective, proper design and configuration protects both the components being configured, as well as the rest of the organization that depends on that gear to defend other components from attacks. In other words, a good house needs a good foundation!

We'll discuss published security benchmarks, vendor guidance for securing various products, and regulatory requirements and how they impact defending infrastructure against specific attacks. To illustrate these points, we'll be looking in detail at securing and defending a router infrastructure against a number of device- and network-based attacks.

In addition, we'll cover securing Windows and Active Directory against specific attacks. Securing Private and Public Cloud Infrastructure against common attacks will also be discussed, and Active Defense approaches will be covered in some detail.

Exercises

Attack and Defense of Router Architectures

Secure Configuration and Audit of Network Architectures

Defenses against Attacks Mounted on Authentication Interfaces

Defending and Attacking Critical Protocols

Logging as a Critical Component of Defense

Man-in-the-Middle Attacks and Defenses

Active Defense:

Honeypots/Honeyports

Honey Documents from Both the Attacker and Defender Perspective

CPE/CMU Credits: 8

Topics

Security Benchmarks, Standards, and the Role of Audit in Defending Infrastructure

Defense Using Authentication and Authorization, and Defending Those Services

The Use of Logging and Security Information and Event Management (SIEM) in Defending an Organization from Attack

SEC501.2: Penetration Testing

Overview

Security is all about understanding, mitigating, and controlling the risk to an organization's critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise the environment. On day two, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration tests to better understand the security posture for network services, operating systems, and applications. In addition, we'll talk about social engineering and reconnaissance activities to better emulate increasingly prevalent threats to users.

Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about scoping and planning their test projects, performing external and internal network penetration testing, web application testing, and pivoting through the environment like real-world attackers.

Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the organization's overall security.

Exercises

Scanning and Enumeration Fundamentals

More Scanning and Enumeration Options

Vulnerability Scanning with OpenVAS

Exploitation + Metasploit Basics

Basic Web App Scans and Attacks

Metasploit and Pivoting

CPE/CMU Credits: 6

Topics

Introduction to Penetration Testing Concepts

Penetration Testing Scoping and Rules of Engagement

Online Reconnaissance and Offensive Counterintelligence

Social Engineering

Network Mapping and Scanning Techniques

Enterprise Vulnerability Scanning

Network Exploitation Tools and Techniques

Web Application Exploitation Tools and Techniques

Post-Exploitation and Pivoting

OS and Application Exploit Mitigations

Reporting and Debriefing

SEC501.3: Network Detection and Packet Analysis

Overview

"Prevention is ideal, but detection is a must" is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack is not successfully prevented, network security professionals need to analyze network traffic to discover attacks in progress, ideally stopping them before significant damage is done. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.

Because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are more stealthy and difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst capable of differentiating between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write intrusion detection rules that detect the latest attacks before they compromise a network environment.

Traffic analysis and intrusion detection used to be treated as a separate discipline within many organizations. Today, prevention, detection, and response must be closely knit, so that once an attack is detected, defensive measures can be adapted and proactive forensics implemented, and the organization can to continue to operate. This course section will start with a brief introduction to network security monitoring, followed by a refresher on network protocols with an emphasis on fields to look for as security professionals. We'll use tools like TCPdump and Wireshark to analyze packet traces and look for indicators of attacks. We'll use a variety of detection and analysis tools, craft packets with Scapy to test detection, and touch on network forensics and the Security Onion monitoring distribution. Students will also explore Snort as a network Intrusion Detection System, and examine rule signatures in-depth.

Exercises

Analyzing PCAPs with TCPdump

Attack Analysis with Wireshark

Crafting Packets to Test Network Monitoring

Network Forensics with Security Onion: Detecting Malicious Activity

Extracting PCAP Content for Forensics

Snort Basics

Wireshark Network Compromise Analysis

CPE/CMU Credits: 6

Topics

Network Security Monitoring

IP, TCP, and UDP Refresher

Advanced Packet Analysis

Introduction to Network Forensics with Security Onion

Identifying Malicious Content and Streams

Extracting and Repairing Content from PCAP files

Traffic Visualization Tools

Intrusion Detection and Intrusion Prevention

Snort In-Depth

Writing Snort Signatures

Handling Encrypted Network Traffic

SEC501.4: Digital Forensics and Incident Response

Overview

"Bad guy elimination" is the core mission for Digital Forensics and Incident Response (DFIR) professionals. Incidents happen, and organizations rely on these professional responders to find, scope, contain, and remediate evil from their networks. Investigators employ DFIR practices to determine what happened. DFIR teams conduct investigations to find evidence of compromise, remediate the environment, and provide data to generate local threat intelligence for operations teams in order to continuously improve detection. While traditionally seen as a finite process, incident response is now viewed as ongoing, with DFIR professionals searching for evidence of an attacker that has existed in the environment without detection by applying new threat intelligence to existing evidence - the crux of the concept of "threat hunting."

In this section, you will learn the core concepts of both "Digital Forensics" and "Incident Response." We'll explore some of the hundreds of artifacts that can give forensic investigators specific insight about what occurred during an incident. You will also learn how incident response currently operates, after years of evolving, in order to address the dynamic procedures used by attackers to conduct their operations. We'll look at how to integrate DFIR practices into a continuous security operations program.

We'll cover the general guidelines for a cyclical, six-step incident response process. Each step will be examined in detail, including practical examples of how to apply it. Lastly, you'll learn the artifacts that can best be used to determine the extent of suspicious activity within a given environment and how to migrate techniques to a large data set for enterprise-level analysis.

SEC501.5: Malware Analysis

Overview

Malicious software is responsible for many incidents in almost every type of organization. Types of Malware vary widely, from Ransomware and Rootkits to Crypto Currency Miners and Worms. We will define each of the most popular types of malware and walk through multiple examples. The four primary phases of malware analysis will be covered: Fully Automated Analysis, Static Properties Analysis, Interactive Behavior Analysis, and Manual Code Reversing. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis. You will get hands-on experience with tricking the malware through behavioral analysis techniques, as well as decrypting files encrypted by Ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.

Exercises

Static Properties Analysis of Ransomware

Using Linux Tools such as File, Strings, clamscan, pescan, and VirusTotal

SEC501.6: Enterprise Defender Capstone

Overview

The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they submit flags to score points. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, routing protocols, scanning, malware analysis, and other challenges related to the course material.

CPE/CMU Credits: 6

Additional Information

Laptop Required

A properly configured laptop is required to participate in SEC501: Advanced Security Essentials - Enterprise Defender. Students must have Administrator privileges. Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.

For this course, SANS will provide you with the following virtual machines:

Custom 64-bit Kali Linux

Custom Windows 10 64-bit

Security Onion

Metasploitable

Cisco CSR 1000V

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:

Please note: VMware Workstation or Fusion are mandatory. You must have the ability to take virtual machine snapshots, and you cannot do this with VMware Player.

You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website (see above). If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course.

While the labs will run fine for Mac/Fusion students, the lab workbook was written from a Windows host and VMware Workstation perspective. Students opting to bring Mac OS or Linux as their host OS are expected to manage any OS or virtualization software issues that might arise.

Final Checklist

We suggest going over the following checklist to make sure that your laptop is prepared for SEC501: Advanced Security Essentials - Enterprise Defender:

The laptop meets hardware requirements outlined in this section.

If you use a trial copy of VMware Workstation, make sure that the VMware license will not expire before the class ends.

The Windows VMware machine runs using host-only networking mode.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Prerequisites

While not required, it is recommended that students take SANS's SEC401: Security Essentials course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.

What You Will Receive

In this course, you will receive the following:

MP3 audio files of the complete course lecture

USB with the following virtual machines:

64-bit Kali Linux

64-bit Windows 10 Enterprise

Metasploitable

Security Onion

Cisco CSR 1000V

You Will Be Able To

Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks

Access tools that can be used to analyze a network to prevent attacks and detect the adversary

Decode and analyze packets using various tools to identify anomalies and improve network defenses

Understand how the adversary compromises systems and how to respond to attacks

Perform penetration testing against an organization to determine vulnerabilities and points of compromise

Apply the six-step incident handling process

Use various tools to identify and remediate malware across your organization

Create a data classification program and deploy data-loss-prevention solutions at both a host and network level

Hands-on Training

Perform detailed analysis of traffic using various sniffers and protocol analyzers

Identify and track attacks and anomalies in network packets

Use various tools to perform vulnerability scanning, penetration testing, and network discovery

Analyze both Windows and Unix systems during an incident to identify signs of a compromise

Find, identify, and clean up various types of malware, such as Ransomware

Quotes from Former Students

"This is the best technical training course I have ever taken. SEC501 exposed me to many valuable concepts and tools but also gave me a solid introduction to those tools so that I can continue to study and improve on my own." - Curt Smith, Hildago Medical Services

"SEC501 offers a great explanation of Net Defense best practices that often get overlooked." - Kirk G., U.S. Navy

"For an intensive and in-depth course, I found SEC501 to be extremely educational yet fun and entertaining." - Hisham Al-Muhareb, Saudi Aramco

Author Statement

"I started off working as a network engineer and architect building enterprise networks. This role organically transitioned into secure design and engineering. My interest at the time in penetration testing and exploitation allowed me to verify that our designs being put into production were truly hardened. This interest eventually drove me into a career in full-blown reverse engineering and 0-day bug discovery/exploit development. After a long history of writing and teaching courses for SANS on advanced penetration testing and exploit writing, I am excited to take that experience and apply it back into defense. We selected a group of rock star authors to build the SEC501 syllabus and content, including Dave Shackleford, Phil Hagen, Matt Bromiley, and Rob Davenport."

- Stephen Sims

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.